Morrisons has been found liable for the actions of a former member of its staff who stole the data of thousands of employees and posted it online.
Workers brought a claim against the company after employee Andrew Skelton, former senior internal auditor at the supermarket’s’ Bradford headquarters, stole the data of nearly 100,000 staff. The former employee then posted this payroll information including; salary, bank details, National Insurance details, addresses and phone numbers, on the internet.
Skelton was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
Lawyers said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.
A Landmark Decision
On 1st Decemeber, the data leak trial came to a conclusion. The High Court found Morrisons accountable for the actions of former employee, Andrew Skelton. The judge, Mr Justice Langstaff, ruled that Morrisons was “vicariously liable” for the leak of its employees’ information.
The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused.
The solicitor representing the 5,518 claimants stated that;
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK. Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”
Morrisons, which denies liability, has said it will appeal the decision.
Commenting on the recent decision, David Gibson of Short Richardson & Forth explains;
“Employers should ensure that the contracts of employment and data protection policies clearly state that such practices could result in disciplinary sanction-including dismissal and criminal prosecution. Employers should undertake spot checks to make sure that all workers understand and are compliant with regard to not misusing information. This includes misuse of information via social media platforms.”
If you are an employer and would like advice on your duties with regard to data protection laws including the upcoming GDPR, please contact David Gibson at email@example.com or telephone 0191 232 0283.